Roles and Responsibilities of Different Actors
Webinar for the GCCS2015
Myriam Dunn Cavelty
16 March 2015

Key Questions
• What type of actors have traditionally had what kind of roles and responsibilities?
• How have expectations about them changed over the years?
• What are the problems that we encounter from a human rights perspective?
• How can / should civil society get involved?

Aims of this Presentation
• To further our understanding of different expectations and positions in the cybersecurity debate
• To enable us to better identify common grounds between the different actors going forward
• To enable us to understand the main problems arising from this and to design strategies for optimal civil society input

Structure of Webinar
1. A Short History of Cybersecurity Policy Concerns
2. The Main Actors:
  • State
  • Private Sector / Businesses
  • Citizens (Civil Society)
3. The Main Issues at the Interface:
  • Public-Private Partnership (State – Private Sector)
  • Surveillance (State – Citizens)
4. The Way Forward

Short History of Cybersecurity Policy Concerns
www.css.ethz.ch

Policy Dynamics in the 1980s
• „Hacking“ comes to the attention of the policy community
• Cyber-crime interlinked with foreign intrusion/espionage → elevated to a national security issue!
• Main concern: prevention of damaging disclosures of classified information
• But: Problem rather limited due to nature of the information infrastructure (no mass phenomenon)
• Main actors: Government (law enforcement) & tech community

Policy Dynamics in the 1990s
• Increasingly networked systems, rapid technological development (commercialisation)
• Quantitative increase in cyber-incidents (statistics)
• Gulf War 1991/92, development of Information Warfare ideas
• Critical infrastructures become focal point
• Information revolution leads to novel vulnerabilities (interdependent software-based control systems)
• Capabilities of “new” malicious actors seem enhanced: inexpensive, ever more sophisticated, rapidly proliferating, easy-to-use tools in cyberspace (buzzword: Cyber-terror)
• Asymmetry as defining feature
• Liberalization! (moves national security relevant assets away from the government)
• Main actors: government (military and homeland defense), private sector

Policy Dynamics in the 2000s
• Increasing quantity, quality, attention of/on attacks
• Stuxnet
• Flame
• «Mega»-Hacks
• Targeted attacks
• Non-state (Hacktivism)
• Organized crime
• State (APTs)
• Cyber-«Arms Race»
• Security Dilemma
Increasing Securitization! = even sub-issues are turned into national security issues

Main Actors

Roles & Responsibilities in Cybersecurity
• State:
  • Responsibility to protect own assets (i.e. government functions)
  • Responsibility to provide security & safety
• Private Sector:
  • Responsibility to protect own assets
  • Responsibility to provide additional security for critical infrastructures
• Society:
  • Responsibility to protect own assets (home computers)
  • Responsibility to be «aware» of the risk
  • Responsibility to be a «good» cyber-citizen
Not everyone’s security is the same

The Dilemma of the State
• Power to resist vulnerability and to exploit vulnerability disappears
  • downwards (localisation),
  • upwards (trans- or supranationalisation), or
  • sideways (privatisation)
• State can no longer „go it alone“ – private actors increasingly important
• Non-state actors threaten
• Non-state actors directly threatened
• Non-state actors needed for definition AND enactment of security policy

Bureaucratic Power Politics
• Cybersecurity is seen from different perspectives
  • IT-security issue
  • Economic issue
  • Law-enforcement issue
  • National security issue
• Overlaps and no clear-cut boundaries
• Different groups within the government do not necessarily agree on what the problem is and what needs to be protected
• The differing positions demand different allocation of responsibility and countermeasures

Companies: a diverse bunch
• «At the forefront»
  • Exposed to cyberthreats daily
  • Some shape use of cyberspace considerably
  • Some directly shape cybersecurity landscape (i.e. Anti-Virus companies)
  • There is a lot of power in the hands of a few
• Diverse bunch of actors! Diverse set of interests
  • Different sectors
  • Some are Critical Infrastructure Providers
  • Some are Small and Medium Sized Enterprises
  • Some are norms shapers
  • Some earn money from cyber-in-security
  • ….

Society: Empowered?
“On one side are the traditional, organized, institutional powers such as governments and large multinational corporations. On the other are the distributed and nimble: grassroots movements, dissident groups, hackers, and criminals. Initially, the Internet empowered the second side. It gave them a place to coordinate and communicate efficiently, and made them seem unbeatable. But now, the more traditional institutional powers are winning, and winning big. How these two sides fare in the long term, and the fate of the rest of us who don't fall into either group, is an open question -- and one vitally important to the future of the Internet.”
Bruce Schneier, The Battle for Power on the Internet

The Main Issues

Expectations
• States expect private companies to help them guarantee national security
• The private sector expects to make money (i.e. with our data)
• Society expects the state to provide security for everyone
[Diagram labels: State, Society, Private Sector, SECURITY]

State Response Strategies
• State-state
  • Coordination within the public sector in order to foster coherent responses (state – state inside)
  • International cooperation (state – state outside)
  • Cyber-crime
  • Confidence building measures
  • Arms control?
• State-private sector
  • Public-private collaboration to
    • enable a better exchange of information
    • enhance level of security
    • provide incentives?
• State-society
  • Public awareness campaigns
  • Increasing surveillance of digital content

State – Private Sector

Different PPPs – Different Rationales for their Formation
• Information-sharing about incidents and potential countermeasures
• Early warning
• Mutual support during incidents
• Prosecution of attackers
• Joint funding of R&D or awareness-raising campaigns
• Joint policy development and strategy building

Public Private Partnerships
• PPP concept originally developed in a completely different context: in the field of administrative reform in the 1980s (New Public Management)
• Subsequently, PPP concept adopted uncritically by many governments for CIP policy at the end of the 1990s
• Cooperation programs following the PPP prototype are part of all existing initiatives in the field of CI(I)P
• Some successfully facilitate i.e. the exchange of information between both sides
• Others, however, have scarcely generated more than joint statements of intent of the actors involved
• This causes a number of problems in the implementation of such forms of cooperation and causes feelings of disillusionment

4 Problems
• Diverging interests
• Trust
• Costs
• Voluntary character

State – Citizens

The Social Contract
Liberty: social and political freedoms guaranteed to all citizens
Security: power and privileges given to state
Balance is chosen in a process of social/political negotiation

The End of Certainty
[Diagram labels: Actor, ?, Potential, Intention]
• Cold War: Threat direct, intended, knowable/known
• Today: Threat indirect, unintended, uncertain, unknown
• No longer Threats but diffuse Risks
• Security paradigm changes from defense towards risk prevention
• State reaction:
  • Focus on vulnerabilities (of society / infrastructure)
  • Data collection
  • Target: anyone, because everyone is potentially dangerous

The Surveillance «Dilemma»
Fundamentally insecure technologies that penetrate more and more parts of our lives
Increased insecurities in security politics (risks)
• Data hunger!
• Easily collectable data about the behavior of everyone
• Most people generate this data willingly (convenience, benefits, etc.)
• New algorithms that try to predict behavior

Security Dilemma
• National security considerations in and through cyberspace are increasing in (strategic) importance
• Data collection in and through cyberspace is increasing due to national security reasons
• The focus on the state and “its” security crowds out consideration for the security of the individual citizen.
• The type of security currently produced is often not security (directly) relevant to the people
= A problem for human security is created

The Way Forward

Role for Civil Society
• Given range of legitimacy and normative concerns, even deeper engagement of civil society than in other areas seems desirable
• Civil society organizations can rally together to help break down barriers to engagement and ensure more qualitative and inclusive multi-lateral processes.
• Should focus on enhancing their role with regards to:
  • i) Engaging Effectively;
  • ii) Fostering Transparency and Accountability; and
  • iii) Deepening Knowledge.

Role for Civil Society
• Combined, these measures can
  • strengthen the legitimacy and sustainability of on-going processes;
  • ensure that broader normative concerns are attended to, and that the right technical expertise is leveraged when solutions are being sought; and
  • ultimately help build trust between states and between state and society.

Contact Information
Thank you!
Dr. Myriam Dunn Cavelty
Center for Security Studies, ETH Zurich
CH-8092 Zürich
Switzerland
dunn@sipo.gess.ethz.ch